Closed brett-fitz closed 1 week ago
Hi @brett-fitz, if you get this error: 'UNSUPPORTED_ERROR' => 'Cant upsert entity. Too many entities resolved' then this is expected behavior and the problem lies in the names and aliases of your intrusion sets.
In fact, if you have two different intrusion sets corresponding to this set of names and/or aliases, then OpenCTI is not able to determine which intrusion set to select and then attach the knowledge.
To resolve this issue, simply merge your intrusion sets or edit the alias distribution in your OpenCTI platform to match the CrowdStrike data source.
When manually creating an intrusion set, you can see the number of duplicates, for example:
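Added example, not part of the thread and not OpenCTI's or the connector's code: a simplified model of the name/alias ambiguity described in the comment above, showing how two existing intrusion sets that share a label make an incoming entity unresolvable and how merging them removes the ambiguity. The entity records, ids, case-insensitive matching and per-type scoping are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample entities using names from this thread; not a real export.
EXISTING = [
    {"id": "intrusion-set--a", "type": "Intrusion-Set", "name": "Dragonfly",
     "aliases": ["BERSERK BEAR"]},
    {"id": "intrusion-set--b", "type": "Intrusion-Set", "name": "BERSERK BEAR",
     "aliases": []},
    {"id": "malware--c", "type": "Malware", "name": "Havex", "aliases": []},
]
INCOMING = {"type": "Intrusion-Set", "name": "BERSERK BEAR", "aliases": []}  # constructed

def labels(entity):
    """Name plus aliases, lower-cased (case-insensitive matching is an assumption)."""
    return {s.strip().lower() for s in [entity["name"], *entity["aliases"]]}

def build_index(entities):
    """Map (type, label) -> ids of entities carrying that name or alias."""
    index = defaultdict(set)
    for ent in entities:
        for label in labels(ent):
            index[(ent["type"], label)].add(ent["id"])
    return index

def resolve(incoming, entities):
    """Ids of same-type entities sharing any name/alias with the incoming one."""
    index = build_index(entities)
    hits = set()
    for label in labels(incoming):
        hits |= index.get((incoming["type"], label), set())
    return sorted(hits)

def ambiguous_labels(entities):
    """Labels claimed by more than one entity: the merge candidates."""
    return {k: sorted(v) for k, v in build_index(entities).items() if len(v) > 1}

def merge(entities, keep_id, drop_id):
    """Fold drop_id's name and aliases into keep_id and remove drop_id."""
    by_id = {e["id"]: e for e in entities}
    keep, drop = by_id[keep_id], by_id[drop_id]
    seen = labels(keep)
    extra = [a for a in [drop["name"], *drop["aliases"]] if a.strip().lower() not in seen]
    merged = {**keep, "aliases": keep["aliases"] + extra}
    return [merged if e["id"] == keep_id else e for e in entities if e["id"] != drop_id]

if __name__ == "__main__":
    print(resolve(INCOMING, EXISTING))   # more than one candidate: ambiguous upsert
    fixed = merge(EXISTING, "intrusion-set--a", "intrusion-set--b")
    print(resolve(INCOMING, fixed))      # a single candidate after the merge
```

Running `ambiguous_labels` over an export of existing entities before enabling a feed lists the labels that need a merge or an alias edit.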
@Megafredo Would we expect this to occur with two different entity types?
@brett-fitz If the entities are unrelated by name or alias, then yes, there is indeed a problem. We will investigate. Thanks
@Megafredo Ok thanks. I was able to fix 1/2 - "PUNK SPIDER" (CrowdStrike) / Akira (MITRE) but BERSERK BEAR is still an issue. Is there any way of getting around this to fix the connector's jobs from getting exponentially larger?
FYSA: There is no alias on the malware
The only connection I could find (outside of relationship with Dragonfly which has an alias with BERSERK BEAR) is this external reference on Havex:
More screenshots:
Note: I did merge BERSERK BEAR with Dragonfly and made Dragonfly the primary entity.
Hey @Megafredo any update on the above? Number of operations for us has gotten to 60k and steadily increasing (it's ingesting all data since the last reported time in the state). Is there a stopgap fix for this?
I'm closing the issue as discussed.
Description
CrowdStrike's connector jobs are increasing at a steady rate after an issue came up with one of the STIX bundles:
Message
Source
Environment
Reproducible Steps
Steps to create the smallest reproducible scenario:
Expected Output
Connector should just import the new entities and perhaps skip the bundle that is erroring out.
Actual Output
As we can see, once the error pops up, the work starts increasing, likely due to this failure.
Additional information
Screenshots (optional)